Skip to search

PocketIDOIDCClient

pocketid.internal / v1alpha1

apiVersion: pocketid.internal/v1alpha1 kind: PocketIDOIDCClient metadata: name: example
View raw schema
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
spec defines the desired state of PocketIDOIDCClient
allowedUserGroups []object
AllowedUserGroups restricts access to the listed PocketIDUserGroups
name string
Name is the name of the PocketIDUserGroup CR
namespace string
Namespace is the namespace of the PocketIDUserGroup CR Defaults to the PocketIDOIDCClient namespace
apiAccess []object
APIAccess grants this client permission to request scoped access on the referenced PocketIDAPIs. The client is the sole owner of its API access in Pocket-ID: while this field is set the operator keeps the access in sync and clears it if the field is later emptied. When never set, existing API access configured out-of-band is left untouched.
apiRef object required
APIRef references the PocketIDAPI granting access.
name string required
Name is the name of the PocketIDAPI CR
namespace string
Namespace is the namespace of the PocketIDAPI CR Defaults to the referencing resource's namespace
clientPermissions []string
ClientPermissions are permission keys granted for the client-credentials (machine-to-machine) flow. These require a confidential client.
delegatedPermissions []string
DelegatedPermissions are permission keys granted for the user-delegated (authorization code) flow, where the client acts on behalf of a user.
callbackUrls []string
Callback URLs for the client
clientID string
ClientID is the optional OIDC client ID to use instead of a generated one The Client ID is immutable and cannot be changed once the oidc client is created
minLength: 2
maxLength: 128
clientSecretRotation object
ClientSecretRotation configures automatic, scheduled regeneration of the client secret. When unset the secret is only regenerated on create/adopt, on self-heal, or when the regenerate-client-secret annotation is set.
enabled boolean required
Enabled controls whether automatic rotation is active.
interval string
Interval is the minimum time between rotations (e.g. "720h" for 30 days). Must be between 1h and 8760h. When omitted, rotation is driven entirely by window (which then becomes required) and the secret rotates once per window opening.
window object
Window restricts rotations to a recurring maintenance window. When interval is set, rotations fire as soon as the interval and global min-spacing are satisfied, confined to the window when one is configured. When interval is omitted, the window opening is itself the trigger: the secret rotates once per opening (subject to min-spacing).
closesAfter string required
ClosesAfter is how long the window stays open after each cron fire. Minimum 5m.
opens string required
Opens is a standard 5-field cron expression (e.g. "0 1 * * *" for 1am daily, local TZ).
darkLogoUrl string
Dark logo URL for the client Deprecated: Use spec.logo.darkLogoUrl instead.
description string
Description is an optional description for the client
maxLength: 150
federatedIdentities []object
FederatedIdentities configures JWT assertion identities
audience string
Audience is the audience for the identity
issuer string
Issuer is the OIDC issuer for the identity
jwks string
JWKS is the URL or JSON for the identity's JWKS
subject string
Subject is the subject for the identity
instanceSelector object
InstanceSelector selects the PocketIDInstance to reconcile against. If omitted, the controller expects exactly one instance in the cluster.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
isPublic boolean
Indicates if the client is public (no client secret)
launchUrl string
Launch URL for the client
logo object
Logo configures logo URLs for the OIDC client with template support.
autoGenerate boolean
AutoGenerate controls whether to auto-generate logo URLs from templates when logoUrl/darkLogoUrl are not explicitly set in this struct. If not set, defaults to the AUTOGENERATE_LOGOS env var on the operator, which defaults to true.
darkLogoUrl string
DarkLogoURL is the URL template for the dark logo. Use as a placeholder for the logo name. Defaults to the DEFAULT_DARK_LOGO_URL env var on the operator.
logoUrl string
LogoURL is the URL template for the light logo. Use as a placeholder for the logo name. Defaults to the DEFAULT_LOGO_URL env var on the operator.
nameOverride string
NameOverride overrides the logo name used in template substitution. Defaults to metadata.name.
logoUrl string
Logo URL for the client Deprecated: Use spec.logo.logoUrl instead.
logoutCallbackUrls []string
Logout callback URLs for the client
name string
Name of the oidc client to create in Pocket ID. If omitted, defaults to metadata.name of the oidcclient resource.
pkceEnabled boolean
Enables PKCE for the client
requiresReauthentication boolean
Requires reauthentication on login
scim object
SCIM configures SCIM provisioning for this OIDC client. Pocket ID will push user/group changes to the configured endpoint.
endpoint string required
Endpoint is the URL of the external SCIM service provider.
tokenSecretRef object
TokenSecretRef references a Kubernetes Secret key containing the bearer token used to authenticate with the SCIM endpoint. If omitted, no Authorization header is sent.
key string required
The key of the secret to select from. Must be a valid secret key.
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
optional boolean
Specify whether the Secret or its key must be defined
secret object
Secret defines how OIDC client credentials should be stored in a Kubernetes Secret.
additionalAnnotations object
AdditionalAnnotations allows setting custom annotations on the secret created by the PocketIDOIDCClient custom resource. Operator-managed annotations take precedence and cannot be overridden.
additionalLabels object
AdditionalLabels allows setting custom labels on the secret created by the PocketIDOIDCClient custom resource
enabled boolean
Enabled controls whether to create a secret with OIDC client credentials. If false, no secret will be created. Defaults to true
keys object
Keys allows customization of the secret keys for each credential field.
authorizationUrl string
AuthorizationURL is the key name for the OIDC authorization endpoint URL. Defaults to authorization_url
callbackUrls string
CallbackURLs is the key name for the callback URLs. Defaults to callback_urls
clientID string
ClientID is the key name for the OIDC client ID. Defaults to client_id
clientSecret string
ClientSecret is the key name for the OIDC client secret. Defaults to client_secret
discoveryUrl string
DiscoveryURL is the key name for the OIDC discovery URL. Defaults to discovery_url
endSessionUrl string
EndSessionURL is the key name for the OIDC end session (logout) endpoint URL. Defaults to end_session_url
issuerUrl string
IssuerURL is the key name for the OIDC issuer URL. Defaults to issuer_url
jwksUrl string
JwksURL is the key name for the OIDC JWKS (JSON Web Key Set) endpoint URL. Defaults to jwks_url
logoutCallbackUrls string
LogoutCallbackURLs is the key name for the logout callback URLs. Defaults to logout_callback_urls
tokenUrl string
TokenURL is the key name for the OIDC token endpoint URL. Defaults to token_url
userinfoUrl string
UserinfoURL is the key name for the OIDC userinfo endpoint URL. Defaults to userinfo_url
name string
Name is the name of the secret to create. Defaults to metadata.name + "-oidc-credentials"
storeClientSecret boolean
StoreClientSecret controls whether the operator manages the client secret. When false, the operator never regenerates an existing client secret: a client created by the operator still gets its initial secret minted and stored, while an adopted client keeps its externally-managed secret and the Secret omits the client_secret key. Defaults to true
skipConsent boolean
Skips the consent screen on initial authorization for this client
status object
status defines the observed state of PocketIDOIDCClient
allowedUserGroupIDs []string
AllowedUserGroupIDs are the resolved group IDs assigned to the client
callbackUrls []string
CallbackURLs are the current callback URLs from Pocket-ID
clientID string
ClientID is the ID assigned by Pocket-ID
conditions []object
Conditions represent the current state of the PocketIDOIDCClient resource.
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
createdAt string
CreatedAt is the creation timestamp from Pocket-ID
darkLogoReachable boolean
DarkLogoReachable indicates whether the dark logo URL was reachable when last checked.
darkLogoUrl string
DarkLogoURL is the last resolved dark logo URL that was applied to Pocket-ID.
lastRotatedAt string
LastRotatedAt is the time the client secret was last regenerated by the operator. Used to determine when the next scheduled rotation is due.
format: date-time
logoReachable boolean
LogoReachable indicates whether the light logo URL was reachable when last checked.
logoUrl string
LogoURL is the last resolved light logo URL that was applied to Pocket-ID.
logoutCallbackUrls []string
LogoutCallbackURLs are the current logout callback URLs from Pocket-ID
managedAPIPermissionIDs []string
ManagedAPIPermissionIDs are the Pocket-ID API permission IDs the operator last pushed as this client's API access (both delegated and client-credentials). Used to detect when spec.apiAccess is emptied so the access can be cleared.
name string
Name is the resolved name from Pocket-ID
pkceSupported boolean
PKCESupported indicates Pocket-ID observed the client using PKCE during an authorization flow while spec.pkceEnabled is false, signalling PKCE can be enabled.
scimProviderID string
SCIMProviderID is the pocket-id ID of the SCIM service provider for this client, if configured.

No matches. Try .spec.allowedUserGroups for an exact path